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(54) Method for controlled access to a secured system 

(57) In order to gain access to a secured system, a 
user must be able to enter valid user identification infor- 
mation and must also have a remote wireless communi- 
cation device such as a pager or cellular telephone 
having a numb e r that i s substantial l y un i qu e to that 



user. When the user requests access to the secured 
system, the system places a call to the user's remote 
wireless communication device and sends that device 
revalidation information such as a random number gen- 
erated by the secured system. The user must return the 
revalidation information to the secured system to gain 
access. In an alternative embodiment, another person 
(a user-approver) has the remote wireless communica- 
tion device and must return the revalidation information 
to the secured system if the user-approver approves the 
user's request for access. 
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Description 

Background of the Invention 

This invention relates to security for controlled s 
access systems (which can, if desired, be systems that 
are accessible from remote locations). Examples of sys- 
tems that can make use of this invention are computer 
systems, transaction processing systems, voice mail 
and voice response systems, and the like. The security 
aspect of the invention relates to ensuring that a person 
who is attempting to gain access to the secured system 
is authorized to do so. 

Many types of controlled access systems are 
known. Most such systems employ some form of secu- 
rity to reduce the risk of an unauthorized person gaining 
access to and making use of the system. For example, 
a system may require someone who is attempting to 
use the system to first enter some form of user-identifi- 
cation ("user-id"), personal identification number ("pin"), 
an/or password. Such intangible security information 
can sometimes be misappropriated, for example, by the 
misappropriator observing the authorized user's entry 
of the security information. Other situations may warrant 
a higher level of security than can be provided by just 
intangible security information of the type described 
above. For example, an administrative or super user of 
a computer system or a voice mail or voice response 
system may require a higher level of security. Similarly, 
higher level or administrative access to a secured build- 
ing, a priso n , a n ai r p or t, a mi l i t a r y i nstall ati on , or other 
high security location may require a higher level of secu- 
rity. 

It is therefore an object of this invention to provide 
improved security for controlled access Systems. 

It is a more particular object of this invention to pro- 
vide security for controlled access systems which 
requires more than mere possession of intangible infor- 
mation in order for a person to gain access to the sys- 
tem. 

Summary of the Invention 

These and other objects of the invention are 
accomplished in accordance with the principles of the 
invention by providing security for controlled access 
systems which requires a person (i.e., a "user") attempt- 
ing to gain access to the system to have a particular 
wireless remote communication device such as a pager 
and to enter into the system information the system 
requests the user to enter via the wireless remote com- 
munication device. For example, the user may establish 
a modem connection from a personal computer to the 
secured system. The user may than enter user-identify- 
ing information to the secured system via the modem 
connection, rf the secured system recognizes the user- 
identifying information as valid, the system causes 
revalidating information to be sent to the user via 



another separate communication channel. In an espe- 
cially preferred embodiment the revalidating information 
is sent to a particular pager which the user must have in 
order to receive that information. The system then gives 
the user an opportunity to send the revalidating informa- 
tion back to the system (e.g., via the modem connec- 
tion). The system allows the user the requested access 
to the system only if the user is able to send back the 
revalidating information. If the user has the particular 
wireless remote communication device required to 
receive the revalidating information, the user is able to 
receive and send back that information and thereby gain 
access to the secured system. If the user does not have 
the required wireless remote communication device, the 
user cannot receive and resend the revalidating infor- 
mation, and the user therefore cannot gain access to 
the secured system. 

In another aspect of the invention the wireless 
remote communication device is intended to be in the 
possession of a person other than the user. This other 
person (a "user-approver") receives the revalidating 
information from the secured system and retransmits 
that information to the system if the user access request 
appears to be in order. In this case, to facilitate decision- 
making by the user-approver, the system may addition- 
ally send to the user-approver information about the 
user (e.g., an identification of the user and information 
about the location from which the user is attempting to 
gain access to the system). 

Further features of the invention, its nature and var- 
ious advantag e s will b e mor e apparent from th e accom- 
panying drawings and the following detailed description 
of the preferred embodiments. 

Brief Description of the Prawinqs 

FIG. 1 is a simplified block diagram of illustrative 
apparatus which can be operated in accordance with 
this invention. 

FIGS. 2a-c (collectively referred to as FIG. 2) are a 
flow chart of steps for carrying out an illustrative embod- 
iment of the methods of this invention. 

FIG. 3 is a view similar to FIG. 1 showing alternative 
illustrative apparatus which can be operated in accord- 
ance with this invention. 

FIG. 4 is another view similar to FIGS. 1 and 3 
showing further alternative illustrative apparatus which 
can be operated in accordance with this invention. 

FIGS. 5a-c (collectively referred to as FIG. 5) are a 
flow chart of steps for carrying out another illustrative 
embodiment of the methods of this invention. 

Detailed Description of the Preferred Embodiments 

In the illustrative embodiment shown in FIG. 1 a 
user 10 requests access to secured system 30 via com- 
munication link 20. For example, secured system 30 
may be a computer system or network, and the user 
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may have a personal computer (included within box 10) 
from which the user may wish to access system 30. 
Communication link 20 may be a modem connection 
which the user establishes through the commercial tele- 
phone network when the user wishes to use system 30. 
It will be understood that these examples are only illus- 
trative, and that many other types of user equipment 1 0, 
secured systems 30. and communication links 20 are 
possible. 

When the user first establishes communication link 
20. the user is typically required by system 30 to enter 
information which identifies the user. For example, the 
user may be required to enter user id. pin. and/or pass- 
word information. For convenience herein, all such infor- 
mation is referred to as "user identification information." 
System 30 checks the validity of the user identification 
information, and if that information is valid, system 30 
continues on as described below with the process of 
making sure that the user is in fact entitled to access to 
the system. On the other hand, if system 30 finds that 
the user identification information supplied by the user 
is not valid (e.g.. it does not correspond to any informa- 
tion in a list of valid user identifications stored in system 
30), then system 30 may either terminate connection 20 
or prompt the user to try again, and if after a predeter- 
mined number of attempts the user is still not able to 
enter valid user identification information, then system 
30 may terminate connection 20. 

If system 30 finds that the user identification infor- 
mation entered by user 10 is valid (and assuming that 
the user and/or type of access requested by the user 
requires further user validation), system 30 identifies a 
particular wireless remote communication device 70 
that this particular user must have. For example, the 
user may be required to have a pager with a particular 
pager number or a cellular telephone with a particular 
telephone number. For convenience herein, any such 
wireless remote communication device 70 that user 10 
is required to have will be said to have a "wireless 
remote communication device number" or "activation 
number via which device 70 can be substantially 
uniquely activated. Thus system 30 identifies the wire- 
less remote communication device number of the 
device 70 that user 10 must have in order to gain access 
to system 30. Preferably, each user 10 is associated 
with a device 70 having a unique or substantially unique 
wireless remote communication device number. 

When system 30 has identified the number of the 
device 70 that user 10 must have, system 30 sends a 
message (via communication link 40) to the wireless 
communication system 50 that can communicate with 
device 70. This message from system 30 instructs sys- 
tem 50 to call device 70 (via wireless communication 
link 60) and to send it a message that user 1 0 must 
send back to system 30 in order to gain access to sys- 
tem 30. For example, system 30 may generate a ran- 
dom or substantially random number (e.g., a 
substantially random telephone number) for system 50 



to send to device 70 via communication link 60. Device 
70 may receive this message and display it for user 10 
as indicated by link 80. Alternatively, link 80 may be an 
audio link. When user 10 receives this message, the 

5 user sends it back to system 30, for example, via com- 
munication link 20. Alternatively, user 10 may send this 
message back to system 30 in another way (e.g., via 
elements 70, 60, 50, and 40, if those elements are such 
as to permit bi-directional communication). When sys- 

io tern 30 receives back from user 1 0 the revalidating mes- 
sage it has sent, system 30 opens system access to the 
user. 

If desired, any or all of communication links 20. 40, 
and 60 can be protected by conventional security meth- 

15 ods such as message encryption or password 
exchange to ensure that messages are authentic and to 
lessen the risk of interception by a third party. 

FIG. 2 shows an illustrative sequence of steps in 
accordance with this invention for operating the appara- 

20 tus of FIG. 1 as described above. To some extent these 
steps have already been mentioned, and so the discus- 
sion of them here can be somewhat abbreviated. 

in step 110 user 10 requests access to secured 
system 30 via communication link 20. As mentioned 

25 above, this generally includes the user supplying some 
user identification information to system 30. 

In step 112 system 30 determines whether the user 
identification information supplied by user 10 is valid 
information for an authorized user. To do this, system 30 

30 may compare the user identification information sup- 
plied by the user to a list of such information for all 
authorized users. Th e s teps shown i n FIG. 2 as s ume 
that the user passes this test but rf not, system 30 may 
perform additional steps (suggested above) to prompt 

35 the user to try again or to disconnect the user (either 
immediately or after a predetermined number of unsuc- 
cessful re- tries by the user). 

Also in step 1 12 (and assuming that the user has 
supplied valid user identification information), system 

40 30 determines whether this user and/or this user's 
access request necessitate revalidation. In other words, 
some users may only be entitled to a relatively low level 
of access to system 30, which can be granted without 
further security precautions. Or in some cases a user 

45 who might otherwise require more security precautions 
may request only a low level of access, and so in this 
case no further security precautions are needed. For 
the most part, however, the steps shown in FIG. 2 
assume that the user and/or the user's access request 

so warrant further security precautions before system 30 
grants the requested access. Thus it is assumed that 
steps 1 14 et seq. should be performed. 

In step 114 system 30 identifies the "activation 
number" of the wireless remote communication device 

55 70 that user 10 should have in order to gain access to 
system 30. If device 70 is a pager, this is the number 
which must be called to reach that pager. If device 70 is 
a cellular telephone, this is the number of that teJe- 
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In step 1 16 system 30 generates revalidation infor- 
mation which is to be sent to user 10 via elements 40, 
50, 60, and 70. For example, this revalidation informa- 
tion may be a random or substantially random number s 
(e.g.. a random or substantially random telephone 
number). 

In step 118 system 30 commands wireless commu- 
nication system 50 to call the user's device 70 and to 
transmit the revalidation information to that device. 

In step 120 the user's device 70 receives the revali- 
dation information from system 30 via system 50, and in 
step 122 device 70 supplies the received revalidation 
information to the user. 

In step 1 24 system 30 prompts the user to enter the 
revalidation information received from device 70. Such a 
prompt may not be necessary in some cases, and so 
this step can be optional. 

In step 126 the user enters into system 30 the 
revalidation information that the user has received from 
device 70. Depending on the structure of the overall 
system, this entry of information by the user may be 
either via communication link 20 or via a return channel 
through elements 70, 60, 50, and 40. For example, if 
device 70 is a pager with no answer-back capabilities, 
step 126 may be carried out via communication link 20. 
On the other hand, if device 70 is a pager with answer- 
back capabilities or a cellular telephone, step 126 may 
be carried out via elements 70, 60, 50, and 40. 

In step 128 system 30 compares the revalidation 
in f o r ma t io n i t se n t ou t in st eps 1 1 G and 11 0 to th e revali- 
dation information returned to it in step 126. if there is a 
match, then in step 130 control passes to step 134 in 
which system 30 allows access to the user. On the other 
hand, if there is no match of the revalidation information, 
then in step 130 control passes to step 132 where sys- 
tem 30 denies access to the user (e.g., by disconnect- 
ing the user after sending the user an appropriate 
message). 

The process ends in step 136. 

The order of some of the steps in FIG. 2 is not criti- 
cal. For example, step 124 (in which system 30 prompts 
the user to enter the revalidation information) can occur 
earlier in the process (e.g., between steps 116 and 
118). Such earlier occurrence may be desirable to 
remind the user to be ready to receive the revalidation 
information via device 70. For example, the user may 
have to turn on device 70 in order to render it operable, 
and an early prompt step 124 may be helpful in that 
regard. 

FIG. 3 shows an alternative form of the apparatus 
shown in FIG. 1 . FIG. 3 is similar to FIG. 1 except that 
FIG. 3 expressly shows that elements 40', 50', 60', 70', 
and 80' permit two-way communication from system 30 
to user 10 and back to system 30. Thus FIG. 3 expressly 
shows the type of overall system in which the revalida- 
tion information sent out by system 30 via elements 40\ 
50', 60*. 70'. and 80' can be sent back to system 30 by 



the user via the reverse path through that same commu- 
nication channel. The method of FIG. 2 is equally appli- 
cable to systems of the type shown in FIGS. 1 and 3. 

FIG. 4 shows another alternative form of the appa- 
ratus shown in FIGS. 1 and 3. In FIG. 4 the wireless 
communication device 70' associated with user 1 0 is not 
in the possession of the user. Instead, another person 
(user- approver 90) has device 70'. When user 10 
requests access to system 30. that system initiates a 
wireless transmission as before, although in this case 
the wireless transmission may include information iden- 
tifying user 10 in addition to some revalidation informa- 
tion. For example, the user identification information 
may include the telephone number from which user 10 
is attempting to access system 30, as well as the user's 
name or identification number. This user identification 
information may help user-approver 90 decide whether 
to approve the user's request for access, ff user- 
approver 90 decides to approve, the user- approver 
returns the revalidation information to system 30 via the 
reverse communication channel through elements 70', 
60', 50', and 40'. System 30 allows user 1 0 access when 
the revalidation information is thus returned to it. 

FIG. 5 shows adaptation of the method of FIG. 2 to 
a system of the type shown in FIG. 4. Many of the steps 
in FIG. 5 are the same as or similar to steps in FIG. 2, 
and this correspondence is indicated by use of the 
same last two reference number digits for the same or 
similar steps in FIGS. 2 and 5. Thus the discussion of 
many of the steps in FIG. 5 can be somewhat abbrevi- 
ated because more extensive-discussion-has^already- 
been provided for corresponding steps in FIG. 2. 

In step 210 (similar to step 110 in FIG. 2) user 10 
requests access to system 30 via communication chan- 
nel 20. 

In step 212 (similar to step 1 12 in FIG. 2) system 30 
validates user identification information provided by 
user 10 and recognizes the need for revalidation of this 
user request for access. 

In step 21 4 (similar to step 1 1 4 in FIG. 2) system 30 
identifies the activation number of the device 70' associ- 
ated with the user-approver 90 who must approve the 
user's request for access. 

In step 21 6 (similar to step 1 1 6 in FIG. 2) system 30 
generates user identification and revalidation informa- 
tion for transmission to device 70'. As mentioned above, 
this user identification information may include a name 
or code number for user 10, the telephone number from 
which the user is requesting access, etc. The revalida- 
tion information may be the same kind of revalidation 
information that is described above in connection with 
other embodiments of the invention. 

In step 21 8 (similar to step 1 1 8 in FIG. 2) system 30 
commands system 50' to call device 70* and to send it 
the information generated in step 216. 

In step 220 (similar to step 120 in FIG. 2) device 70' 
receives the above-descrtoed information, and in step 
222 (similar to step 122) device 70' supplies that infor- 
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mation to user-approver 90. 

In step 226 (similar to step 126 in FIG. 2) user- 
approver 90 sends the revalidation information back to 
system 30 if the user-approver approves the user's 
request for access. 

Remaining steps 228, 230, 232, 234. and 236 are 
respectively similar to steps 128, 130. 132, 134, and 
136 in FIG. 2 and therefore do not need to be described 
again. 

It will be understood that the foregoing is only illus- 
trative of the principles of the invention and that various 
modifications can be made by those skilled in the art 
without departing from the scope and spirit of the inven- 
tion. For example, the invention can be used with many 
different types of user 10 terminal devices, many differ- 
ent types of secured systems 30, many different types 
of remote wireless communication devices 70. and con- 
sequently many different types of remote wireless com- 
munication systems 50. To reiterate, some specific 
examples of possible uses of the invention include con- 
trolling access to computer systems, transaction 
processing systems, voice mail or voice response sys- 
tems, and secured facilities such as buildings, prisons, 
military installations, and other high security locations. 
The invention may be employed only for certain users 
such as administrators or other super users. 

Claims 



returned in said returning step matches the 
revalidation information transmitted in said 
transmitting step, and if so. allowing said user 
access to said secured system, said detecting 
5 step being performed by said secured system. 

2. The method defined in claim 1 wherein said wire- 
less communication device is a pager having a 
pager number as said activation number, and 

10 wherein said identifying step comprises the step of: 

identifying the pager number of the pager that 
the user identified by said user identifying infor- 
mation should have. 

15 

3. The method defined in claim 2 wherein said trans- 
mitting step comprises the steps of: 

placing a call to the pager having said pager 
20 number; and 

transmitting said revalidation information to 
said pager. 

4. The method defined in claim 1 wherein said wire- 
25 less communication device is a cellular telephone 

having a telephone number as said activation 
number, and wherein said identifying step com- 
prises the step of: 



A method for ensuring that a user requesting 
access to a secured system should be granted 
such access, said u se r h avi n g substa n tia l ly u n ique 



user identifying information and a wireless commu- 
nication device with a substantially unique activa- 
tion number if the user is entitled to access to the 35 
secured system, said method comprising the steps 
of: 

entering said user identifying information into 
said secured system, said entering step being ao 
performed by said user; 

CHARACTERIZED BY 
identifying the activation number of the wire- 
less communication device which the user 
identified by said user identifying information 45 
should have, said identifying step being per- 
formed by said secured system; 
transmitting revalidation information to the 
wireless communication device which the user 
identified by said user identifying information so 
should have, said transmitting step being at 
least initiated by said secured system; 
returning said revalidation information to said 
secured system, said returning step being per- 
formed by said user if said user has the wire- ss 
less communication device which said user 
should have; and 

detecting whether the revalidation information 



30 identifying the telephone number of the cellular 
telephone that the user identified by said user 
i den ti fy i ng i nformation shou l d h ave; 



The method defined in claim 4 wherein said trans- 
mitting step comprises the steps of: 

placing a call to the cellular telephone having 
said telephone number; and 
transmitting said revalidation information to 
said cellular telephone. 

The method defined in claim 1 wherein said trans- 
mitting step comprises the step of: 

generating substantially different revalidation 
information substantially each time said trans- 
mitting step is performed. 

The method defined in claim 6 wherein said revali- 
dation information is a substantially random 
number. 

The method defined in claim 6 wherein said revali- 
dation information has the general form of a con- 
ventional telephone number. 

The method defined in claim 1 wherein said enter- 
ing step is performed via a first communication 
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channel between said user and said secured sys- 
tem which is different from a second communica- 
tion channel used for transmitting said revalidation 
information to said wireless communication device; 
and wherein said returning step is performed using s 
one of said first and second communication chan- 
nels. 

10. The method defined in claim 9 wherein said return- 
ing step is performed using said first communica- io 
tion channel. 

11. The method defined in claim 9 wherein said return- 
ing step is performed using said second communi- 
cation channel. is 

12. The method defined in claim 1 further comprising 
the step of: 

disconnecting said user from said secured sys- so 
tern if said revalidation information returned 
does not match said revalidation information 
transmitted. 
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FIG. 2A 
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FIG. 2B 
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FIG. 3 
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FIG. 5A 
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FIG. 5B 
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Method for controlled access to a secured system 



(54) 

( 5 7) I n ord e r to gain a ccess to a secured syst e m, a 

user (10) must be able to enter valid user identification 
information and must also have a remote wireless com- 
munication device (70) such as a pager or cellular tele- 
phone having a number that is substantially unique to 
that user. When the user requests access to the 
secured system (30), the system places a call to the 
user's remote wireless communication device (70) and 
sends that device revalidation information such as a 
random number generated by the secured system. The 
user must return the revalidation information to the 
secured system to gain access. In an alternative 
embodiment, another person (a user-approver) has the 
remote wireless communication device (70) and must 
return the revalidation information to the secured sys- 
tem if the user-approver approves the user's request for 
access. 
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